Are You Aware of the Dangers Lurking in Free Apps?

Though fun and even useful, free apps can pose security risks to your users and your business

The old adage “there’s no such thing as a free lunch” has more than a kernel of truth to it when it comes to free applications. Free apps seem harmless, and they’re very tempting. Who doesn’t want a free version of Angry Birds? What’s wrong with a free banking app from your credit card company? But even if the app itself is legitimate and thoroughly vetted, it can still pose a security risk to the device it’s running on. Free apps are more dangerous to your employees and your network than they appear at first glance.

People can easily download a wide range of free apps for their smartphones and tablets as well as for your company’s computers. From wildly popular games like Angry Birds Space (which was downloaded three million times in only three days) to fitness trackers and social media tools, there’s a free app for anything anyone would want to do on his or her mobile device. Likewise, the Internet is teeming with free apps to customize desktops and work more easily. But the problem with free is that the program’s use is almost always paid for through advertising or information gathering, and it’s in those aspects where the danger often lies.

Apple’s App Store and the Google Play Store do generally check each program before it’s offered for download for viruses and malicious intent. But they don’t vet the ads for malicious behavior. And because so many different ads might stream from one server to any particular app, the stores’ trawlers can’t reveal all of the different security threats that might infiltrate a system through the ads. For instance, an ad could point to a malicious website or have a virus attached to it or deposit some malware onto a device. In fact, those streaming ads offer hackers a great way to get around the marketplace controls.

If the “free to use” payment doesn’t come in the form of ad streaming, then it’s likely to come through back-end data collection. A free app could be collecting data about the user, or even business data or activities, on the user’s smartphone or computer. Some data collection is straightforward: users fill in their contact information, which will be used for marketing purposes, and are then allowed to download the app. But other data collection can happen without the user’s knowledge through an app running in the background, capturing information like credit card numbers, addresses, phone numbers, and other information useful in the pursuit of identity theft or account access. Spyware has also been discovered that captures information without the user’s knowledge, such as from a salesforce.com client or an online banking site.

It takes just one download to impact a network

Just one person needs to download one bad app to wreak havoc on your network. If a compromised smartphone connects to your local network, that compromise can spread across your business systems rapidly.

Even though many of these free apps are downloaded to personal devices like iPhones and Android-based smartphones, you can still take some steps to protect your business from them. The first step is education. Make sure employees are aware of the possible risks posed by free apps and understand how to spot potentially malicious software. Teach employees to avoid downloading free apps as much as possible and, when that isn’t possible, to ask what the app’s intent is and how it profits its creator. Some apps truly are free and harmless. But if you can’t tell how the developer is making money from it, it’s best not to download it. Also, encourage employees to check out an app’s reviews before downloading it, if only to make sure they’re not among the first 1,000 test subjects.

The second step is to install security software on employees’ smartphones (or to require they install it in order to connect to your network) that will help protect against mobile malware and viruses. For instance, install a monitoring tool like Lookout Mobile Security that checks apps for viruses and possible privacy and security issues. A monitoring tool may also look for apps running in the background and abnormal activity.

The third step is to use web and content filtering technologies, such as those in the Cisco ASA 5500 Series Adaptive Security Appliances, on your network. A security appliance like the ASA 5500 Series is generally chosen to protect the local network, but it also provides an indirect yet effective way of guarding against security threats that might come through or to the employees’ personal devices. Filters can block users on personal devices from visiting known malicious sites as well as block undesired or malicious types of content from your network and to the device. Consider also separating your network into virtual LANs (VLANs), so different types of traffic or access are isolated from other types of traffic. (See this post to learn more about using VLANs on the small business network.)
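As an added illustration of the third step (not configuration from the original post or from Cisco), the fragment below shows the two ideas on a Cisco ASA: a separate VLAN subinterface for employees’ personal devices, and an access list on that interface that blocks known malicious hosts and keeps the BYOD VLAN from reaching the corporate VLAN. The interface names, VLAN numbers and all addresses are assumptions; the “malicious” addresses are constructed placeholders from the TEST-NET range, not real indicators.

```cisco
! Parent interface carrying 802.1Q-tagged traffic (assumed name)
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! VLAN 10: employees' personal devices (BYOD), lower trust
interface GigabitEthernet0/1.10
 vlan 10
 nameif byod
 security-level 30
 ip address 192.168.10.1 255.255.255.0
!
! VLAN 20: corporate workstations and servers, higher trust
interface GigabitEthernet0/1.20
 vlan 20
 nameif corp
 security-level 80
 ip address 192.168.20.1 255.255.255.0
!
! Constructed placeholder list of known-bad hosts; in practice this
! comes from your threat-intelligence or URL-filtering feed
object-group network malicious_sites
 network-object host 203.0.113.5
 network-object host 203.0.113.77
!
! Inbound policy for the BYOD VLAN, evaluated top to bottom:
!  1. drop any traffic to the known-bad hosts
!  2. isolate BYOD from the corporate VLAN
!  3. allow everything else (e.g. Internet access)
access-list byod_in extended deny ip any object-group malicious_sites
access-list byod_in extended deny ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list byod_in extended permit ip any any
!
access-group byod_in in interface byod
```

The explicit deny between the VLANs matters even though the security levels differ, because ASA security levels alone only govern the default for traffic without an applied access list.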

More and more employees are bringing their own devices to work, and, inevitably, they will download and install free apps on them. In the end, the goal for small businesses is finding a reasonable way to allow those users access to your network with their own devices. As the Cisco 2011 Annual Security Report states, companies and their employees must find common ground, “with the company recognizing the individual’s need to use the device of his or her choice and the worker understanding that the company must do whatever is necessary to enforce its security policy.” For some small businesses, that might mean banning free apps from employees’ smartphones, tablets, and computers that connect to their network.

What is your company’s policy about downloading and installing free apps on devices on your network?

3 Comments.

This is too bad, I strongly oppose your view on free apps. I’m an Android dev. I make money via ads.
I can’t sell my app, since I have a low profile. I have to find an alternative to make money, either directly by asking for donations or indirectly via ads. I do accept there might be security issues via ads. This has to be taken care of by the ad agency. And about collecting users’ info by the app, one has to check the available permissions, and check what’s necessary before installing.
This article is like telling people not to drive vehicles, since they can cause accidents. Instead write an article on how to drive safely...

I think this is a great article that really hits the core issue that the average consumer doesn’t know what’s happening when they download third-party apps. Even companies like Facebook and Twitter have taken users’ address books without permission.
Companies are learning that mobile security and the BYOD trend is an issue they need to solve now, before it's too late. I think this post (https://www.iongrid.com/blog/2012/06/18/what-are-apps-doing-your-information) does a good job at breaking down available solutions for the enterprise.
In the end, mobile security needs to be improved for both the individual and the enterprise.

Good info/good article. I’m new to PCs and just got a Droid 6 days ago. Was suspicious of ‘Free’ (always am - daddy taught me well!) so looked around. BINGO! Suspicions confirmed, will do research & get protection.
Thanks for sharing, keep up good work!
